Using Debian Linux, php 4.4.4, with lighttpd I found that the #action form value in a user login block was being set incorrectly resulting in the user being sent to an invalid page resulting a page not found error of:


node?destination=node

In user_login_block the page the user is sent to on login is set with:

    '#action' => url($_GET['q'], drupal_get_destination()),

But on examining drupal_get_destination() if a destination isn't already set then it uses the following to create part of the destination:

    // Use $_GET here to retrieve the original path in source form.
    $path = isset($_GET['q']) ? $_GET['q'] : '';

So the url #action is set to contains the value of $_GET['q'] twice.

I believe that user_login_block should use the following, which works for me:

    '#action' => url(null, drupal_get_destination()),

Lee

CommentFileSizeAuthor
#21 user_login_block_sets-123217-21.patch953 bytesalansaviolobo
#17 drupal-login-block-action-123217-14-do-not-test.patch994 bytesdarren oh
#16 drupal-login-block-action-123217-14.patch1.24 KBdarren oh
#13 user.module-123217-13.patch793 bytesdarren oh
#11 user.module-123217-11.patch801 bytesdarren oh
#10 login_destination_0.patch760 bytesdarren oh
#2 mw_60.patch654 bytesmoshe weitzman
#1 user_login_destination.patch641 bytescburschka

Comments

cburschka’s picture

cburschka
they
commented
Status: Active » Needs review
StatusFileSize
new user_login_destination.patch641 bytes

If you already have a proposed fix, you should use "cvs diff -up modules/user/user.module" from the main drupal directory (in a proper CVS checkout of course) and upload the resulting patch here.

I've simply applied your change in this patch rolled against 5.x-dev.

moshe weitzman’s picture

moshe weitzman commented
StatusFileSize
new mw_60.patch654 bytes

i see no use for that line at all. so here is a patch to remove it.

with this patch applied, try this:

log out,
go to the /admin page, you get access denied.
login using the block with an admin account
you get to /admin.

i think the code here is very old and simply doesn't belong.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Version: 5.1 » 5.x-dev
Assigned: Unassigned » darren oh
Status: Needs review » Needs work

Removing the line doesn't work if the user is on the front page of the site. I need to work on this any way, since the current behavior interferese with code I wrote to redirect users to their account edit page if it is incomplete, so I'm assigning it to myself.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Assigned: darren oh » Unassigned
Status: Needs work » Reviewed & tested by the community

Actually, I'd rather not delay this bug fix. The patch in #1 works and is ready to be committed.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Status: Reviewed & tested by the community » Closed (works as designed)

Just realized that this patch would overwrite the current destination if one were set. The existing code is by design. See CVS commit 21851.

moshe weitzman’s picture

moshe weitzman commented
Version: 5.x-dev » 6.x-dev
Status: Closed (works as designed) » Needs review

darren - please clarify why my patch is not desireable. you said "Removing the line doesn't work if the user is on the front page of the site. " but i don't understand - user will be authenticated and again see home page.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented

I was taken to the user page rather than the home page.

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented

Darren, that a change was added a year and a half ago, did not mean this is by design, the environment could have changed (ie. how the destination is computed). Jakub Suchy is also working on an information page for new user logins, which is in relation to this issue: http://drupal.org/node/161496 (this is a simpler issue, but the bigger idea is rooted here, and there is no actual issue yet for the information page feature).

Seems like the patch here needs a bit more testing.

meba’s picture

meba commented

Ad Gabor: http://drupal.org/node/162037

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Assigned: Unassigned » darren oh
StatusFileSize
new login_destination_0.patch760 bytes

Gabor, I set it to "by design" because I believe the original reasons for adding that line still apply. The line only causes problems for servers which don't handle redirection properly. At the same time, this issue is not really about removing the line but about hiding the defect in those servers, which could be accomplished by using NULL if the result of drupal_get_destination() equals $_GET['q'].

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Version: 6.x-dev » 7.x-dev
Assigned: darren oh » Unassigned
StatusFileSize
new user.module-123217-11.patch801 bytes

Updated for Drupal 7.

Status: Needs review » Needs work

The last submitted patch failed testing.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Status: Needs work » Needs review
StatusFileSize
new user.module-123217-13.patch793 bytes

Status: Needs review » Needs work

The last submitted patch failed testing.

neRok’s picture

neRok commented

I was just going over some old core bugs to see if any could be closed. The code in 7.22 is
$form['#action'] = url(current_path(), array('query' => drupal_get_destination(), 'external' => FALSE));
current_path just returns $_GET['q'], so I think the problem still exists. And Drupal8 code seems the same.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Version: 7.x-dev » 8.x-dev
Status: Needs work » Needs review
StatusFileSize
new drupal-login-block-action-123217-14.patch1.24 KB

Embarrassing that this problem still exists. Updated patch attached.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
StatusFileSize
new drupal-login-block-action-123217-14-do-not-test.patch994 bytes

Ported patch to Drupal 7.

alansaviolobo’s picture

alansaviolobo commented
Issue summary: View changes

patch still applies

alansaviolobo queued 16: drupal-login-block-action-123217-14.patch for re-testing.

Status: Needs review » Needs work

The last submitted patch, 16: drupal-login-block-action-123217-14.patch, failed testing.

alansaviolobo’s picture

alansaviolobo commented
Status: Needs work » Needs review
StatusFileSize
new user_login_block_sets-123217-21.patch953 bytes

Status: Needs review » Needs work

The last submitted patch, 21: user_login_block_sets-123217-21.patch, failed testing.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Issue tags: +fldc19

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

quietone’s picture

quietone commented

The action in the user login block was changed to use lazy_builder in #2867703: Change #action in UserLoginBlock to a #lazy_builder to avoid the route cache context , see https://git.drupalcode.org/project/drupal/-/blob/9.3.x/core/modules/user....

pameeela’s picture

pameeela commented
Status: Needs work » Postponed (maintainer needs more info)
Issue tags: +Needs issue summary update, +Needs steps to reproduce

Anyone know whether this is still reproducible in light of all the changes since the last patch?

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev
quietone’s picture

quietone commented
Status: Postponed (maintainer needs more info) » Closed (outdated)
Issue tags: +Bug Smash Initiative

There has been no activity here on the patch in 7 years.

Since we need more information to move forward with this issue, and none has been supplied in 8 months I am closing this as outdated. If you are experiencing this problem provide steps to reproduce the issue (starting from "Install Drupal core") and set the status to 'Active'.

Thanks.

darren oh’s picture

darren oh
Primary language English
Location Lakeland, Florida
commented
Version: 9.3.x-dev » 7.x-dev
Status: Closed (outdated) » Needs review

Still a valid Drupal 7 bug.

poker10’s picture

poker10 commented

I am not able to replicate this bug on clean Drupal 7.88 install. Can you please provide the exactly steps leading to this behavior?

My login block has #action set to: /node?destination=node, but the login and the next redirect is working correctly. No 404 page.

poker10’s picture

poker10 commented
Status: Needs review » Closed (outdated)

I agree with @quietone to close this until there are some steps to reproduce the issue.